Blog

Phishing: Need to create more accurate criminal legislation

Julkaisupäivä
1.6.2013 22:30

In a brief comparative study I have made on the legislation of various Latin American countries in order to make it known in this blog, I have found an almost complete absence of criminal laws that punish as a crime the phishing or capture personal data, especially financial type, using social engineering techniques, in order to obtain economic benefits against the victim’s economic interests.

Phishing, as its name implies, is the action of "fishing" or pick up economic data from people who, due ignorance or gullibility, are lured to provide credit information, bank account numbers, credit cards’ numbers, key access, user names, and in general any financial data that an unscrupulous third person could use to obtain an economic advantage on the victim’s monetary assets.

From a legal point of view, such conduct could be described as a form of traditional fraud (although it is not exactly computer-related forgery or computer-related fraud because they require other precisions) where certain elements that are common to both figures concur. Thus, the basic elements of the traditional fraud are the deception to the victim and the asset transfer, as we can saw in a recent post. If any of both elements are absent, we could not say that there is a crime. There are undeniable similarities with the fraud figure in the recollection of financial data. It was understood that way in the Penal Code of Spain which, in its article 248, paragraph 2, states:

"Article 248:

1.- (…)

2.- Also will be considered as prisoners of fraud:

a) Those who, for profit and using any computer manipulation or such artifice, obtain an unconsented transfer of any patrimonial asset, with prejudice of another.

b) Those who build, introduce, held or facilitate computer programs specifically intended for the commission of frauds referred in this article."

The deception occurs when the offenders present a problematic scenario to the victim in which his actions are required to correct the difficulties. The typical case is an apparently official email sent to the possible victim that indicates, for example, that his bank has closed his bank account, or else, that he should provide some financial data of special importance, such his user name and password access, the credit card numbers, along with the expiration date and the three digits identification numbers on the back. Similarly, the email could include a hyperlink to send the user to an identical page like the bank’s official website, but in this case we would be rather facing a case of pharming or illicit spoofing of Web pages, which also lies within these categories of fraud through the use of electronic means.

Another very common way to achieve this distorted objective is through the use of programs that capture the activity of the user keypad (called keylogger programs) in which it is easy to see the websites visited by the victim, his username and passwords to access the Web or emails programs, whereupon the offender manages confidential information through the record of the keys that the user has pressed. Subsequently, the information thus obtained is sent automatically to another computer or Web site controlled by the offender, who may access the bank accounts of the victim without problem. Phishing can be done even by a simple phone call.

Here are several considerations that contribute to ease the offence perpetration. First, there is much naivety and lack of malice of the victims (those who come to believe indeed that their financial data delivery responds to a normal or official bank transaction). Secondly, for some people to use the Internet to carry out bank transactions can still classified as innovative. A third element is that phishing is clearly a criminal conduct committed with relative ease because even the banks not always bother to put sufficient knowledge or security measures to their customers nor provide education to potential victims.

Given this situation, and despite to face a typical computer crime, the Latin American laws have maintained a passive attitude to punish this criminal offence, perhaps by ignorance of the legislator or lack of actions of practitioners in law or the investigative police, who may think that such conduct is duly punished by the crime of traditional fraud or forgery. But that point of view is not so accurate. From the study carried out in various laws system in South America, I conclude that the creation of specific and more precise criminal types to give a punitive response to a conduct that is fairly common is really necessary.

In this sense, perhaps the oldest example of criminal legislation that tries to penalize this misconduct is in the Dominican Republic, issued by Law No.53-07 Against Crimes and Offences of High Technology, where is typified by high-tech theft, illicit fund-raising, electronic transfer of funds and fraud via electronic ways:

Article 14.-Illicit fund raising. The fact of obtain funds, credits or values through the constraint of the legitimate user of an electronic, telematics or telecommunication financial service, shall be punished with a penalty of 3 to 10 years of imprisonment and a fine of one hundred to five hundred times the minimum wage.

Paragraph.-Electronic funds transfers. The realization of electronic funds transfers through the illegal use of codes of access or any other similar mechanism shall be punished with the penalty of one to five years of imprisonment and a fine of two to two hundred times the minimum wage.

Article 15.- Fraud. The fraud carried out through the use of electronic, computer, telematics or telecommunications means, shall be punished with a sentence of three months to seven years in prison and a fine of ten to five hundred times the minimum wage.

"Article 173.- Without prejudice of the preceding article’s general provision, shall be considered as special cases of forgery and will suffer the penalty that it establishes:

1.- (...)

2.- (…)

15.- Those who defraud through the use of a purchase, credit or debit card, when it has been falsified, adulterated, taken, stolen, lost or obtained from the legitimate sender by ruse or deception, or the unauthorized use of their data, although the fact had been done through automatic operation.”

In Latin America, I have found that perhaps the more precise criminal norms where phishing is punished are included in the Penal Code of Colombia, by two criminal types that were added by law No.1273 of 2009. This law penalizes the theft by electronic means and the unconsented transfer of assets through technological artifices:

"Article 269I: Theft by computer and similar means. The one who, overcoming measures of informatics security, perform the conduct referred in article 239manipulating a computer system, a network of electronic or telematics system, or other similar method, or impersonating a user in systems of authentication and authorization, will incur in the penalties indicated in article 240 of this code."

"Article 269J: Unconsented transfer of assets. The one who, with aim of profit and using any computer manipulation or such artifice, get a not consent transfer of any asset with detriment of a third person, while the conduct does not constitute a crime punishable by a more severe penalty, shall incur a prison sentence of forty-eight (48) to one hundred twenty (120) months and fine from 200 to 1,500 monthly minimum wages. The same sanction will be imposed to the one who manufactures, enter, possess or provide computer program aimed to the commission of the offence described in the preceding incise, or for a fraud."

Other norm relatively recent that seeks to penalize the unlawful obtaining of financial data (although is not so accurate as it should be because it confuses phishing and pharming) is in article 233 of the Penal Code of Costa Rica, which was modified through law No.9048 of 2012 in the form we can see:

"Article 233- Supplantation of electronic Websites.-

Will be imposed a prison sentence of one to three years to the one who to supplant legitimate sites from the Internet network in detriment of a third person

The penalty shall be three to six years in prison when, as a consequence of the legitimate Website supplantation and through deception or incurring in error, capture confidential information from a person or legal entity for its own or a third person benefit."

These are examples of norms that I've found in the Latin American criminal legislation that somehow punishes the phishing as cybercrime. I did not find similar criminal types in the laws of Brazil, Ecuador, Paraguay, Bolivia, Peru, Mexico or Chile.

In the case of Mexico, there is a major initiative of law presented in March 2012, which has not been incorporated yet in the Federal Penal Code. The draft legislation aims to match the crime of fraud and to punish with a penalty of six months to three years of imprisonment and 100 to 400 days fine to the one

"who using the error in which the victim is, provoke to reveal or put at its disposal information or personal, patrimonial or financial data that does not have right of access, using sites or email addresses or other electronic media created by himself or by a third person for such purposes."

This situation leads us to conclude that still it takes more legislative efforts to include the new criminal types that current technological reality requires. Suppose that such cybercrime is located within the traditional penal type of forgery or fraud is not enough.

What criminal type is used in your country to punish phishing?

If there is no a criminal type to punish it, is there any legislative initiative to criminalize such conduct?